HP Charts a Security Course With TippingPoint

HP now has its own security research lab, but what is it doing to improve IT security?

As part of its $2.17 billion acquisition of 3Com, HP absorbed 3Com's TippingPoint security division. A key part of TippingPoint is its DVLabs department, which both conducts vulnerability analysis and helps to build security services for TippingPoint.

Now that HP has its own security research lab, how is that work being integrated to help further security at HP?

In an interview with InternetNews.com, DVLabs Director Dan Holden explained that there is no overlap between what TippingPoint's security services offer and the core HP Networking division.

"The acquisition has been going very well because of the focus that HP has on networking now," Holden said. "It's nice that TippingPoint really is the security portion of that new networking piece as part of the 3Com acquisition."

In the wake of the 3Com acquisition, HP reorganized its networking business under the HP Networking name, which includes the former HP ProCurve assets as well as 3Com's technologies.

HP does have other security technologies on the development side, including the WebInspect dynamic analysis toolkit for Web application vulnerabilities. Holden noted that they are still in the initial stages of figuring out the synergies between the two groups.

Common threats in 2010

DVLabs is set to officially publish its mid-year threat report at the end of August, which will detail what TippingPoint has seen in terms of IT security risks so far this year. Of the total vulnerabilities, Holden said that roughly half are related to Web applications.

The big Web application threats seen so far in 2010 include cross-site scripting (XSS), SQL injection and PHP file includes.

"I think from a Web-app vulnerability standpoint, CSRF (cross-site request forgery) has become more interesting and more prevalent," Holden said.

He added that CSRF isn't currently being exploited as often as XSS or SQL injection. That said, Holden expects to see CSRF used more frequently as an attack vector moving forward in 2010 and 2011 than in previous years.

One type of attack that was a big topic for security researchers in 2008 and 2009, dubbed clickjacking, doesn't rank among the major threats, according to Holden.

"I find clickjacking to be more media hype than anything else," he said. "Clickjacking is one of those things that has been around for a long time -- someone comes up with a new name for it and it's all over the media."

DVLabs also has some unique insight into the types of vulnerabilities that other security researchers are finding. TippingPoint's Zero Day Initiative (ZDI), part of DVLabs, purchases vulnerabilities from third-party security researchers. TippingPoint is among the leaders in the security industry when it comes to paying for security research.

"We've acquired some very good vulnerabilities this year," Holden said. "We've also now started to track vulnerabilities with the CVE (Common Vulnerabilities and Exposures) numbering system and it shows everyone that these are some of the most severe vulnerabilities that are out there."

Holden added that anyone can set up a code fuzzer to find basic XSS vulnerabilities in Web applications. TippingPoint is primarily interested in vulnerabilities that will shape and reflect where the threat landscape is going.

All told, Holden sees the security research that his group does as a competitive differentiator for HP in the networking and security marketplace.

"The whole point of the security game is risk mitigation," he said. "If I know my risk is with certain vendor applications then I want to make sure that I've got the best security in place for those apps."